
Sophisticated botnet is hijacking Microsoft servers to mine crypto tokens

2020-4-2 14:57



Guardicore, a data center and cloud security company, issued a report today detailing an extensive campaign by a botnet to hijack Microsoft SQL Server (MS-SQL) machines around the globe and force them to mine the cryptocurrencies Monero and Vollar.


Dubbed “Vollgar” by the company—a portmanteau of Vollar and vulgar—the campaign has continued since it was first detected in May 2018, steadily infecting about 3,000 new machines daily across all sorts of industries, including healthcare and telecommunications.


According to Guardicore, the most-infected countries are China, India, the United States, South Korea, and Turkey, with the vast majority of attacking machines located in China. A peak of activity in December 2019 caught the company’s attention, eventually leading to today’s report.


“During its two years of activity, the campaign’s attack flow has remained similar—thorough, well-planned, and noisy,” the report reads.


The “vulgar” part of Guardicore’s naming comes from how aggressive the attackers have been at claiming possession of hijacked machines. After securing access following brute force login attempts, the botnet changes a number of settings on the machine to download malware—but it also eliminates processes that could enable other types of malware. That way, the botnet can use as much of the infected machine’s resources as possible.


Monero is a cryptocurrency that botnets often mine via infected machines. In January, a security researcher discovered a Monero-mining scheme on a web server operated by the United States Department of Defense. Also, late last year, the long-running Stantinko botnet was discovered to be using YouTube to install Monero-mining modules on computers.


Guardicore has released a detection script and indicators of infection to help server administrators determine whether their MS-SQL servers are infected or not.
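The campaign's entry point is brute-force logins against MS-SQL, which leave a trail in the SQL Server ERRORLOG (error 18456, "Login failed for user"). The following is an added example, not Guardicore's detection script: it parses constructed ERRORLOG-format lines and flags client addresses that produce a burst of failed logins within a sliding window, which is the kind of signal an administrator can check before reaching for the vendor's indicators. The log lines, threshold and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the "Login failed for user" line SQL Server writes to ERRORLOG for error 18456.
# The preceding "Error: 18456, Severity: 14, State: 8." line is deliberately not matched.
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(lines):
    """Yield (timestamp, login_name, client) for every failed-login line."""
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]


def find_bruteforce_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak failures seen inside one window} for clients at or above threshold.

    A per-client sliding window keeps only timestamps within `window` of the newest
    failure; a password-guessing run shows up as a burst, a typo from a real user does not.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, _user, client in parse_failed_logins(lines):
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {client: n for client, n in peak.items() if n >= threshold}


def _failed(ts, user, client):
    """Build one constructed ERRORLOG line in the real format (hypothetical helper)."""
    return (f"{ts}.10 Logon       Login failed for user '{user}'. Reason: Password did not "
            f"match that for the login provided. [CLIENT: {client}]")


# Constructed sample: one client hammers 'sa' every 5 seconds, one ordinary user mistypes once.
SAMPLE_LOG = (
    ["2020-04-02 14:57:00.10 Logon       Error: 18456, Severity: 14, State: 8."]
    + [_failed(f"2020-04-02 14:57:{s:02d}", "sa", "203.0.113.5") for s in range(0, 40, 5)]
    + [_failed("2020-04-02 14:58:30", "reporting_user", "198.51.100.7")]
)

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LOG))  # {'203.0.113.5': 8}
```

On a live server the same function can be fed the lines of the current ERRORLOG file; a flagged client that is also attempting the `sa` login is worth correlating with new jobs, logins or running processes on that host.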


Source: Decrypt